# -*- mode: spamassassin -*-

# This seems to catch a lot of spam, but not sure about false positives (from airmax.cf)
# pasc couldn't find any false positives on the lists he's on
header   X_MESSAGE_INFO exists:X-Message-Info
score    X_MESSAGE_INFO 4.0

# Added by pasc 2004/07/08 (sent by abuse@outblaze via karsten)
# host no longer exists according to administrator
header FAKE_OUTBLAZE_RCVD	Received =~ /\.mr\.outblaze\.com/
describe FAKE_OUTBLAZE_RCVD	Received header contains faked 'mr.outblaze.com'
score FAKE_OUTBLAZE_RCVD	3.0

# blarson 2005-01-19 (--pasc 2005-01-30)
header TRACKING         subject =~ /\b(?:tracking|package|shipping|shipment|delivery) number :/i
describe TRACKING       tracking number
score TRACKING          2

# Sent in by blars (20050220) -- applied by pasc
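# Matches the literal URL http://www.gueb.de/ anywhere in the body text.
# The description used to read "www.geub.de", which agreed with neither the
# pattern nor the rule name; it now names the host the regex matches.
body GUEBDE     /http\:\/\/www\.gueb\.de\//
describe GUEBDE www.gueb.de
score GUEBDE    5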

# Don 2008-06-27
# Ham bonus: fires when the ASCII-armor marker line appears anywhere in the
# full message (headers, body or any MIME part).
# NOTE(review): nothing here verifies a signature; the rule only looks for the
# marker text, which the sender fully controls. A -5 bonus keyed on that text
# can offset several of the positive rules in this file. Consider a smaller
# bonus, or a meta rule that pairs it with a signal the sender cannot set
# (e.g. a trusted-relay or list-subscriber check) - confirm against current
# false-negative samples.
full	 PGPSIGNATURE	/-----BEGIN PGP SIGNATURE-----/
describe PGPSIGNATURE	Has a pgp signature (may not be valid, but who cares?)
score	 PGPSIGNATURE	-5


body WORD_WITHOUT_VOWELS  /\b[bcdfghjklmnpqrstvwxz]{6,20}\b/
describe WORD_WITHOUT_VOWELS Long word without any vowels
score WORD_WITHOUT_VOWELS 1

# Fires on 2-9 consecutive groups, each made of 1-9 lowercase letters followed
# by 1-4 digits (for example "ab12cd3"; constructed sample).
# NOTE(review): the letter class spells out the alphabet but has no 'u', so a
# group containing 'u' breaks the run. This looks like a typo rather than a
# deliberate exclusion - confirm, and use [a-z] if so. The pattern is also
# case-sensitive (no /i) and the inner capture group is not used.
body DIGITS_LETTERS /(([abcdefghijklmnopqrstvwxyz]){1,9}\d{1,4}){2,9}/
describe DIGITS_LETTERS Mixed groups of letters followed by numbers
score DIGITS_LETTERS 1

# From http://www.exit0.us/index.php/FredsRules
# Added by pasc 2004/06/20

# Seven unscored sub-rules (the leading "__" keeps them out of the score
# total). Each looks for letter pairs that are rare in English words, matched
# case-insensitively anywhere in the body text.
body      __FVGT_b_OBFU_J      /j(b|c|f|g|w)/i
body      __FVGT_b_OBFU_OTHER  /(vj|vk|xj|xk|yy|zf|zj)/i
body      __FVGT_b_OBFU_Q0     /(j|k|p|q|t|v|w|z)q/i
body      __FVGT_b_OBFU_Q1     /q(a|f|h|j|k|m|n|s|y)/i
body      __FVGT_b_OBFU_V      /(f|g|q|w)v/i
body      __FVGT_b_OBFU_X      /(c|g|j|k|q|s|v|z)x/i
body      __FVGT_b_OBFU_Z      /(f|j|k|p|q|x)z/i
# The meta rule fires when the sub-rule hits sum to more than 1, i.e. at least
# two different sub-rules matched.
# NOTE(review): the patterns are not word-bounded, so they can also match
# inside URLs, message ids quoted in the body, or encoded blobs. At 0.02 the
# rule is effectively informational; re-check false positives before raising it.
meta      FVGT_m_MULTI_ODD     ((__FVGT_b_OBFU_J + __FVGT_b_OBFU_OTHER + __FVGT_b_OBFU_Q0 + __FVGT_b_OBFU_Q1 + __FVGT_b_OBFU_V + __FVGT_b_OBFU_X + __FVGT_b_OBFU_Z) > 1)
describe  FVGT_m_MULTI_ODD      FVGT - contains multiple odd letter combinations
score     FVGT_m_MULTI_ODD      0.02

# joy, 2003-07-20
header NEPEYO			From =~ /nepeyo\@catlover/
describe NEPEYO			spamvertizers
score NEPEYO			4

# cjwatson, 2003/07/28
header MP3_PLAYERS		Subject =~ /New mp3 player,usb flash drive/
describe MP3_PLAYERS		Spam from "HY Tech"
score MP3_PLAYERS		4

# joy, 2003-08-15
header UOSJUNK			Subject =~ /UOS online Degree Programme/i
describe UOSJUNK		Spam from UOS
score UOSJUNK			4

# cjwatson, 2004-02-27
body GAS_MILEAGE	/This amazing, revolutionary device|www\.mrev\.biz/
describe GAS_MILEAGE	Fuel-saving snake oil
score GAS_MILEAGE	3

# blarson, 2004-03-31
body FUELSAVER		/fuel.?saver/i
describe FUELSAVER	Fuel Saver spam
score FUELSAVER		3

# blarson, 2004-04-03
body CABLEFILTERZ	/cablefilterz/
describe CABLEFILTERZ	cablefilterz spam
score CABLEFILTERZ	4

# blarson 2004-04-15
header PARENNUM		subject =~ /^\(\s*([0-9\/]+\)|\%RND)/
describe PARENNUM	paren number in subject
score PARENNUM		3

# blarson 2004-04-25
# bounces our bounces.... (had negative score)
header COVADRT		X-RT-Loop-Prevention =~ /^Covad$/
describe COVADRT	Covad request tracker bounces
score COVADRT		8

# blarson 2005-03-02
# Ham bonus for one correspondent whose mail otherwise scores as spam.
# NOTE(review): the match is on From header text only, which any sender can
# set, so the -2 applies to anyone using this address in From. Keep the bonus
# small, or tie it to a relay or authentication check if one is available.
header ROBERTOJIMENOCA	from =~ /ROBERTOJIMENOCA\@terra\.es/
describe ROBERTOJIMENOCA ROBERTOJIMENOCA sends spammy looking messages
score ROBERTOJIMENOCA	-2

# blarson 2005-07-10
header TURBOPRO		subject =~ /\bturbonet pro\b/i
describe TURBOPRO	dialup accelerator spam
score TURBOPRO		3

# blarson 2006-04-28
header RESUBJECT	subject =~ /\sRe(?:\[\d+\])?:\s*$/i
describe RESUBJECT	re nothing
score RESUBJECT		2

# blarson 2004-10-22 2007-07-18 up score
header NOSUBJECT	subject =~ /^\s*$/
describe NOSUBJECT	No subject
score NOSUBJECT		2.5

# blarson 2006-10-17
full NEXTPART	/\-\=\_NextPart\_000\_/
describe NEXTPART	spammer mime separator
score NEXTPART		2.5

# blarson 2006-10-17	2009-04-30
full CT_IMAGE		/Content\-Type\:\s*image/i
describe CT_IMAGE	Picture attached
score CT_IMAGE		1.5

# blarson 2006-12-01 (score so low since it will also hit CT_IMAGE)
# Fires when the message's top-level Content-Type header contains "image"
# (case-sensitive, anywhere in the header value, parameters included).
# NOTE(review): the comment above says the score is kept low because CT_IMAGE
# also hits, but 2.5 here is higher than CT_IMAGE's 1.5. A message whose
# top-level type is image/* therefore collects 4.0 from the two rules.
# Confirm which value was intended.
header CT_IMAGE_HEAD	content-type =~ /image/
describe CT_IMAGE_HEAD	entire message is image
score CT_IMAGE_HEAD	2.5


# don 2006-10-25
# NOTE(review): /A-Z/ has no brackets, so it matches only the literal three
# characters "A-Z" inside the Thread-Index value, not "any capital letter".
# As written the rule will almost never fire. If the intent was "header is
# present", /[A-Z]/ or /./ would do that, but it would then add 1.5 to most
# mail from clients that emit Thread-Index. Confirm the intent and check ham
# samples before changing the pattern.
header THREADINDEX 	Thread-Index =~ /A-Z/
describe THREADINDEX 	thread-index header on spam
score	 THREADINDEX	1.5

# blarson 2006-10-30
header FORDASH		subject =~ /\bFor \- \d+/
describe FORDASH	for dash
score FORDASH		3

# blarson 2006-11-01
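# Looks for an RFC 2047 encoded-word announcing the koi8-r charset in Subject.
# KOI8-R is a Cyrillic (Russian) encoding, not a Korean one, so the
# description now says what is actually matched. The rule name is kept
# unchanged so existing score overrides and reports still refer to it.
# NOTE(review): header rules are matched against the decoded header unless
# ":raw" is appended to the header name, so this pattern probably only hits
# when the encoded-word was left undecoded. It is also case-sensitive, while
# charset names in encoded-words are not. Confirm with sample mail.
header KOREAN		subject =~ /\=\?koi8\-r/
describe KOREAN		KOI8-R (Cyrillic) character set in subject
score KOREAN		2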

# blarson 2006-12-04
header FWDNAME		subject =~ /fwd\: \w+\s*$/
describe FWDNAME	fwd: name spam
score FWDNAME		3

# blarson 2006-12-06
body NUMONLY		/^\s*\d+\s*$/
describe NUMONLY	number only body
score NUMONLY		1

# blarson 2007-04-24
header THUNDERB		User-Agent =~ /^Thunderbird 1\.5\.0\.10/
describe THUNDERB	spam missing content
score THUNDERB		2


# blarson 2007-06-15
header FAILNOTE		subject =~ /Failure notice\:/
describe FAILNOTE	bounced spam
score FAILNOTE		2

# blarson 2007-06-28
# Intended to flag MIME parts carrying "Content-Disposition: inline;".
# NOTE(review): a "full" rule is matched against the whole raw message as one
# string, and this pattern has no /m modifier, so "^" anchors only at the very
# start of the message. The rule then looks unable to match a part header
# further down. In addition, "\;\b" needs a word character directly after the
# semicolon, which the usual "inline; filename=..." (semicolon, space) does
# not provide. Verify against a sample; adding /m and dropping the trailing
# \b is probably what was meant.
full CTINLINE	/^Content\-Disposition\: inline\;\b/
describe CTINLINE	Inline attachment
score CTINLINE		1

# blarson 2007-07-07
body BOXTRAPPER		/^This message is a reply to a boxtrapper verifcation message\./
describe BOXTRAPPER	boxtrapper spam
score BOXTRAPPER	9

# blarson 2007-07-09
body PROMOCODE		/^promo code\:/i
describe PROMOCODE	promo code
score PROMOCODE		3

# blarson 2007-07-11
body XLMAN		/\bwww\.xl\-man\.net\b/
describe XLMAN		xl-man spam
score XLMAN		3

# blarson 2007-07-12
body COSTUMER		/^Dear costumer\b/
describe COSTUMER	paypal scam
score COSTUMER		3

# blarson 2007-07-13
body PRIVATE		/^Your private and confidential message is attached\./
describe PRIVATE	private message
score PRIVATE		4

# don 2007-07-15
header AUTOGENERATE	auto-submitted =~ /auto/i
describe AUTOGENERATE	auto generated crap
score AUTOGENERATE	3

# blarson 2007-07-15
body PRIVPDF		/^All our private messages are in pdf format/
describe PRIVPDF	private pdf
score PRIVPDF		4

# don 2007-07-19
header AUTORESPOND	X-Autorespond =~ /./
describe AUTORESPOND	Automatic response
score	AUTORESPOND	4

header AUTOMAILER	X-Mailer =~ /autors/
describe AUTOMAILER	Auto response mailer
score AUTOMAILER	3	

# blarson 2007-07-22
header OUTOFOFFICE_SUB	subject =~ /Out_of_Office/
describe OUTOFOFFICE_SUB	broken autoresponder
score OUTOFOFFICE_SUB	6

body OUTOFOFFICE	/out of the office/i
describe OUTOFOFFICE	Out of the office
score OUTOFOFFICE	3

body OUTOFOFFICE_BACK   /will be back/i
describe OUTOFOFFICE_BACK   Out of the office
score OUTOFOFFICE_BACK   3

# blarson 2007-08-01 \w was too broad 2007-08-12 add dash, at least 3 digits
header SUBENDNUM	subject =~ /[a-zA-Z!]-?\d{3,}$/
describe SUBENDNUM	Subject ends in word989
score SUBENDNUM		2

# blarson 2007-07-27
body PRIVMES		/^You have been sent a private message/
describe PRIVMES	more pdf spam
score PRIVMES		3

# blarson 2007-07-27
header MIXEDBDN		Content-Type =~ /multipart\/mixed\;.*boundary\=\"\-{4,}\d{4,}\"/
describe MIXEDBDN	more pdf spam
score MIXEDBDN		1

# blarson 2007-07-28
header DOTZIP		subject =~ /\d\.zip\b/
describe DOTZIP		zip spam
score DOTZIP		3

# blarson 2007-07-30
header MIXED2		Content-Type =~ /multipart\/mixed\;charset\=iso\-8859\-1\;.*boundary\=\"\-\-\-\-\=\_\d{8,}\_\d{4,}\"/
describe MIXED2		more pdf spam
score MIXED2		2.5

# blarson 2007-07-31
header KEYENCE		From =~ /KEYENCE CORPORATION/
describe KEYENCE	opt out spam
score KEYENCE		10

# blarson 2007-08-02
header NOSUB		subject =~ /\(No Subject\)$/i
describe NOSUB		explicity no subject
score NOSUB		1

# blarson 2007-08-07
header CTPDF		Content-Type =~ /\bapplication\/pdf\;/i
describe CTPDF		more pdf spam
score CTPDF		4

# blarson 2007-06-12
# Looks for an RFC 2047 encoded-word announcing iso-2022-jp in Subject
# (case-insensitive).
# NOTE(review): header rules are matched against the decoded header unless
# ":raw" is appended to the header name, so this pattern probably only hits
# when the encoded-word was left undecoded. Confirm with sample mail whether
# "subject:raw" was intended; that would widen the rule to all subjects using
# this charset, so re-check false positives first.
header JAPSUB		subject =~ /\=\?iso\-2022\-jp/i
describe JAPSUB		subject in japanese
score JAPSUB		3

# blarson 2007-08-24
header XMSATT		X-MS-Has-Attach =~ /yes/i
describe XMSATT		more pdf spam
score XMSATT		2

# blarson 2007-10-27
body ICQ		/^icq\:/i
describe ICQ		icq:
score ICQ		2

# blarson 2007-11-02
header XJ2ID		X-J2Id =~ /\d+/
describe XJ2ID		fax bounce
score XJ2ID		4

# blarson 2007-11-15
header LONGWORD		subject =~ /\b[\w\d]{30,}/i
describe LONGWORD	long word in subject
score LONGWORD		2

# blarson 2007-11-23
header TESTIMONIAL	subject =~ /\btestimonial/i
describe TESTIMONIAL	testimonials
score TESTIMONIAL	2

# blarson 2007-12-13
header ITXS		subject =~ /\bit\`s\b/i
describe ITXS		it`s
score ITXS		4

# blarson 2007-12-18
rawbody TINYFONT	/\bFONT-SIZE\:\s+[123]px\;/i
describe TINYFONT	tiny font specified
score TINYFONT		3

# blarson 2008-04-03
full ZIPFILE		/\bfilename\=.*\.zip\b/i
describe ZIPFILE	zipfile attachment
score ZIPFILE		0.5

# blarson 2008-04-19
header SPACESUB		subject =~ /^\s\w/
describe SPACESUB	extra space before subject
score SPACESUB		0.5

# don 2008-05-04
# Flags Yahoo calendar invitations via the X-Yahoo-Newman-Property header.
# NOTE(review): a second rule named YAHOOCALENDAR is defined further down this
# file (testing X-Yahoo-Calendar-IId, score 5). SpamAssassin keeps one
# definition per rule name, so the later header/describe/score lines replace
# these and this test is presumably never evaluated. Rename one of them if
# both checks are wanted.
# NOTE(review): the header name is written with a trailing ":" before "=~";
# confirm with "spamassassin --lint" that it is parsed as the intended name.
header YAHOOCALENDAR	X-Yahoo-Newman-Property: =~ /calendar-invite/i
describe YAHOOCALENDAR	Calendar invite from yahoo; broken captcha
score YAHOOCALENDAR	4

# blarson 2008-06-03
header BOUNDARYID	content-type =~ /\bboundary\=\"Boundary_\(ID_/
describe BOUNDARYID	spamware boundary
score BOUNDARYID	0.6

# blarson 2008-07-02
body GBKXWFLXF		/\bgbkxwflxf\b/
describe GBKXWFLXF	gbkxwflxf
score GBKXWFLXF		5

# blarson 2008-09-07
body LUKSUS		/\bluksus\b/i
score LUKSUS		4
describe LUKSUS		Luksus

# disabled by don; was causing false positives
# probably needs to be modified to check if it really is ironport
# blarson 2008-09-22
# header XIRONPORT	X-IronPort-Anti-Spam-Filtered =~ /true/
# describe XIRONPORT	claims to be ironport filtered
# score XIRONPORT		2.5

# blarson 2008-10-13
header AUTORESPON	subject =~ /Auto_response/
describe AUTORESPON	Auto_response
score AUTORESPON	3

# blarson 2008-10-28
header XWUM		x-wum-to =~ /./
describe XWUM		X-WUM-TO
score XWUM		2

# cord 2008-10-31
# compensate false-positives for 140.Red-80-25-20.staticIP.rima-tde.net and stuff
# Ham bonus that compensates for other rules penalising legitimate senders on
# staticIP.rima-tde.net addresses.
# NOTE(review): this matches the text in any Received header. Received lines
# added before the first trusted relay are supplied by the sending side, so
# the -5 can be claimed by mail that never touched that network. Matching the
# relay data SpamAssassin derives for untrusted hops (the
# X-Spam-Relays-Untrusted pseudo-header) or lowering the bonus would make it
# harder to trigger by accident or on purpose - confirm trusted_networks is
# configured before relying on it.
header STATIC_RIMA_TDE	received =~ /staticIP\.rima-tde\.net/
describe STATIC_RIMA_TDE static IP from rima-tde.net
score STATIC_RIMA_TDE	-5

# cord 2008-11-30 # compensate LDO_SUBSCRIBER bonus for Forum2Mail-Gw
full NABBLE		/lists\@nabble\.com/
describe NABBLE		sent through nabble.com
score NABBLE		5

# don 2009-02-04
full HTML_NBSP		/(\&nbsp;){3,}/
describe HTML_NBSP	Lots of &nbsp;
score HTML_NBSP		2

# blarson 2009-02-19
header ENTIST          subject =~ /(?:e.?entist|o.?ctor)/i
describe ENTIST                (D)entit/(D)octor
score ENTIST           2

header THREADTOPIC     thread-topic =~ /./i
describe THREADTOPIC   Has a thread topic header
score THREADTOPIC      2

# [2009-04-14 cord]
# replacing old aol-rules from rc.spam

# Four 1-point heuristics for From headers that mention an aol.com address.
# NOTE(review), applies to all four: the patterns run against the whole From
# header (display name plus address, no ":addr" modifier) and are not
# anchored, so the part before "\@" can be satisfied by the display name.
# "aol\.com" also has no trailing anchor, so a longer domain that merely
# starts with aol.com matches too. Each rule is probably much broader than
# its procmail ancestor; re-test against ham from real AOL users.

# Any digit anywhere before the "@", display name included.
header AOL_SPAM1	from =~ /[0-9].*\@([^\@]+\.)?aol\.com/i
describe AOL_SPAM1	possible AOL-pretending spam, matching rule 1
score AOL_SPAM1		1

# A long run of arbitrary characters (ten or more, going by the dots) before
# the "@". A normal "Name <user@aol.com>" header already satisfies this.
header AOL_SPAM2	from =~ /...........*\@([^\@]+\.)?aol\.com/i
describe AOL_SPAM2	possible AOL-pretending spam, matching rule 2
score AOL_SPAM2		1

# Presumably meant "local part of at most two characters", but both ".?" are
# optional and nothing anchors the start, so any From containing an aol.com
# address matches.
header AOL_SPAM3	from =~ /.?.?\@([^\@]+\.)?aol\.com/i
describe AOL_SPAM3	possible AOL-pretending spam, matching rule 3
score AOL_SPAM3		1

# Any non-alphanumeric character before the "@". The space, quote or "<" of
# an ordinary "Name <addr>" header is enough.
header AOL_SPAM4	from =~ /[^a-zA-Z0-9]+.*\@([^\@]+\.)?aol\.com/i
describe AOL_SPAM4	possible AOL-pretending spam, matching rule 4
score AOL_SPAM4		1

# blarson 2009-04-15
body WEBMAIL		/\bwebmail\b/i
describe WEBMAIL	webmail
score WEBMAIL		1

# blarson 2009-04-17
header REFNO		subject =~ /\bref no\b/i
describe REFNO		Ref No
score REFNO		2

# blarson 2009-05-26
header INFOCOUK		to =~ /\b(?:info|winner|loan|lotto|grant|win)\@(?:info\.|winner\.|loan\.|lotto\.|hotmail\.|grant\.|win\.|yahoo\.|)(?:co\.uk|net|com|org)\b/
describe INFOCOUK	to info@co.uk
score INFOCOUK		3

# blarson 2009-05-27
body EXITAT		/\b(?:exit|rembox)\@(?:datalistsource|listsourcesworld|BestAccurateReliable|expertdatasystems|bestbizlists)\.\b/i
describe EXITAT		exit@datalistsource.com
score EXITAT		3

# blarson 2009-06-05
header TOINFO		to =~ /\binfo\@/
describe TOINFO		to info@
score TOINFO		1

# don 2009-07-06
header CONSTCONTACT	X-Mailer =~ /Constant Contact/i
describe CONSTCONTACT	Mail comming from constant contact, which doesn't require double opt-in
score CONSTCONTACT	5

# blarson 2009-08-16
meta CTBDN		(CT_IMAGE && MIXEDBDN)
describe CTBDN		CT_IMAGE && MIXEDBDN
score CTBDN		0.5

# don 2009-09-22
body NUMEMAIL		/\d{3,}\s+emails?/i
describe NUMEMAIL	Mail which mentions some number of e-mail addresses
score NUMEMAIL		2

# don 2009-11-25
# Flags Yahoo calendar update mail via the X-Yahoo-Calendar-IId header (any
# non-empty value).
# NOTE(review): YAHOOCALENDAR is also defined earlier in this file with a test
# on X-Yahoo-Newman-Property and score 4. Rule names are unique, so this later
# definition replaces the earlier one and only this test and this score take
# effect. Give one of the two a distinct name if both should be active.
# NOTE(review): the header name is written with a trailing ":" before "=~";
# confirm with "spamassassin --lint" that it is parsed as the intended name.
header YAHOOCALENDAR	X-Yahoo-Calendar-IId: =~ /./
describe YAHOOCALENDAR	Mail comming from yahoo calendar, which spams us with updates
score YAHOOCALENDAR	5

# alex 2009-12-05
header TLOTTERY            subject =~ /Ticket no: [0-9]+/i
describe TLOTTERY          Lottery spam
score TLOTTERY             3

# alex 2009-12-05
header GLOTTERY            subject =~ /Google_L_o_t_t_e_r_y_W_i_n_n_e_r_s/i
describe GLOTTERY          Google Lottery spam
score GLOTTERY             3

# alex 2009-12-16 
header DOTNET		   subject =~ /Planning a Website Design\? Updates/
describe DOTNET		   .NET Spam
score DOTNET 		   3

# blarson 2010-02-02
body REMBOX		/\b(?:rembo[xt]|disappear|stopping|delrem|remfiles?|exit|takemeoff|offthelist|purgefile)\s?\@/
describe REMBOX		rembox
score REMBOX		3

# formorer 2010-01-23
header LONGTO           to =~ /([\S]+, ){15,}/
describe LONGTO		very long To line
score LONGTO		3

# formorer 2010-01-25
header VAULAS		subject =~ /cursos video aulas video/i
describe VAULAS		some spanish video spam
score VAULAS		3

# blarson 2010-01-28
header FROMWWW		from =~ /\bwww\./i
describe FROMWWW	from www.whatever
score FROMWWW		3

# blarson 2010-02-16
header FROMCASINO	from =~ /\bcasino/i
describe FROMCASINO	from casino
score FROMCASINO	3

# don 2010-06-10
# Three-part check for RTF/DOC attachments sent as application/octet-stream.

# Tests the message's own Content-Type header. The headers of individual
# attachment parts are not message headers.
# NOTE(review): if the intent is "an attachment is octet-stream", a
# "mimeheader" rule (MIMEHeader plugin) is the rule type that inspects
# per-part headers - confirm the plugin is loaded before switching.
header CTOCTET_STREAM	Content-Type =~ /octet-stream/i
describe CTOCTET_STREAM	Content type is octet-stream
score CTOCTET_STREAM	0.5

# NOTE(review): "full" rules see the whole raw message as one string, and this
# pattern has no /m modifier, so "^" anchors only at the first byte of the
# message. A Content-Disposition line inside a MIME part would then not
# match, which would leave this rule and the meta rule below dormant. Verify
# with a sample; /im is probably what was intended. Note that "\.(rtf|doc)"
# is not end-anchored and also matches names such as ".docx".
full RTF_ATTACH		/^Content-Disposition:.+name=.+\.(rtf|doc)/i
describe RTF_ATTACH	Contains an RTF or DOC Attachment
score RTF_ATTACH	2

# Adds 3 more when both rules above hit (5.5 in total with their own scores).
meta RTF_SPAM		CTOCTET_STREAM && RTF_ATTACH
describe RTF_SPAM	Content type is octet-stream and has an RTF Attachment
score RTF_SPAM		3

# blarson 2010-10-11
header WORDDIGDIG      subject =~ /^\w{3,}\s+\d\s\d\s*$/
describe WORDDIGDIG    Word digit digit subject
score WORDDIGDIG       3

# don 2011-06-06
header BRACE_SUBJECT	Subject =~ /^\[\ [a-z0-9]{16}]\ /
describe BRACE_SUBJECT	16 length word in braces in the subject
score BRACE_SUBJECT	4

# formorer 2011-08-12
header COMPTESFR    subject =~ /concernant Compte SFR/i
describe COMPTESFR  concernant Compte SFR
score COMPTESFR     3

# formorer 2012-02-02
header BACKTOME	    subject =~ /Please get back to me/i
describe BACKTOME   Phrase get back to me
score BACKTOME	    4

# formorer 2012-12-10
header STEEL	    subject =~ /stainless steel cookware/i
describe STEEL	    who need steel cookware?
score STEEL	    4

# blarson 2012-02-23
header SINGLES		subject =~ /\bsingles\b/i
describe SINGLES	singles
score SINGLES		4

header CMAEOUT		X-CMAE-OUT-Score =~ /.+/
describe CMAEOUT	Cmae out
score CMAEOUT		3.5

# blarson 2012-05-05
body FBPHOTO		/\b(photo|pict?|image)\s+on\s+(fb|facebook)\b/i
describe FBPHOTO	facebook photo
score FBPHOTO		4

header TRADEME      subject =~ /Can you afford not to trade/
describe TRADEME    we don't trade
score TRADEME       4

# cord 2013-11-09
header PHPMAILER       X-Mailer =~ /PHPMailer/
describe PHPMAILER     X-Mailer: PHPMailer
score PHPMAILER                2

# formorer 2013-11-24
header FROMTWOO	from =~ /twoomail\.com/i
describe FROMTWOO	from twoomail
score FROMTWOO	3

# formorer 2014-07-31
header FROMCHICEXECS from =~ /ChicExecs/i
describe FROMCHICEXECS from ChicExecs
score FROMCHICEXECS 3

# formorer 2014-08-06
header LHELMOND from =~ /Luke Helmond/i
describe LHELMOND from Luke Helmond
score LHELMOND 4

# formorer 2014-08-06
header MAILCHIMP X-Mailer =~ /MailChimp Mailer/i
describe MAILCHIMP X-Mailer: MailChimp Mailer
score MAILCHIMP 3

# formorer 2014-08-29
body AVERMITTLUNG /Arbeitsvermittlungsagentur/i
describe AVERMITTLUNG Arbeitsvermittlungsagentur
score AVERMITTLUNG 4

# formorer 2014-08-29
body BEWSCHREIBEN /Bewerbungsschreiben/i
describe BEWSCHREIBEN Bewerbungsschreiben
score BEWSCHREIBEN 4

# formorer 2014-08-30
header FREELNCMR subject =~ /Freelancer Online Marketing/
describe FREELNCMR Freelancer Online Marketing
score FREELNCMR 4

# formorer 2014-09-03
header SOLUCIONESAMB subject =~ /SOLUCIONES AMBIENTALES: FIN AL MAL OLOR CON ENZILIMP/
describe SOLUCIONESAMB SOLUCIONES AMBIENTALES: FIN AL MAL OLOR CON ENZILIMP
score SOLUCIONESAMB 5

# formorer 2014-11-17
header LYMBOO from =~ /\@lymboomail/
describe LYMBOO lymboomail learning spam
score LYMBOO 5

# formorer 2015-05-14
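# Sender-domain match on the From header. The dot is now escaped so it matches
# only a literal "." and not any single character in that position.
# The domain is not end-anchored, so subdomain-style suffixes still match.
header LEARDINI from =~ /\@leardinigroup\.com/
describe LEARDINI Microbiologia (SIM) spam
score LEARDINI 5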

# don 2015-10-28
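# Sender-domain match on the From header. The dot is now escaped so it matches
# only a literal "." and not any single character in that position.
# This rule is also an input to the FAX_ATTACHMENT meta rule in this file, so
# its name must stay unchanged.
header INTERFAX from =~ /\@interfax\.net/
describe INTERFAX Interfax spam
score INTERFAX 5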

# don 2015-10-28
# Weak signal: "fax" anywhere in the Subject, case-insensitive and not
# word-bounded, so it also hits words that merely contain those letters.
# The low score reflects that.
header FAX_SUBJECT subject =~ /fax/i
describe FAX_SUBJECT Interfax spam subject
score FAX_SUBJECT 1

# Fires only when a zip attachment (ZIPFILE), a fax-like subject (FAX_SUBJECT)
# and an interfax.net From (INTERFAX) are all present. With the component
# scores defined in this file (0.5 + 1 + 5) plus this 10, such a message
# totals 16.5.
# NOTE(review): INTERFAX and FAX_SUBJECT both rest on header text chosen by
# the sender; that is acceptable for a spam-positive rule, but the combination
# will also hit any genuine zip-bearing mail from that service.
meta FAX_ATTACHMENT ZIPFILE && FAX_SUBJECT && INTERFAX
describe FAX_ATTACHMENT Interfax fax attachment
score FAX_ATTACHMENT 10

